Tracking Outbound SPAM

Found on the Mac OS X system admin list

Just wanted to say thanks to Michael Wise for taking time out today
and providing me with a great set of forensic tools and techniques
for locating message queue IDs, and using postcat on the queue to
view actual messages/headers. Now I can start the real investigation.
Haven’t found the offending script yet, but am getting closer.

Notes from my conversation with Michael, for the archives:

* First, find suspicious-looking lines in /var/log/mail.log

* Look for the smtp process ID (the number in square brackets), such as: postfix/smtp[25897]

* Grep for other instances of that ID in the log: grep 25897 mail.log

* From there, you'll be able to see Postfix queue IDs, such as 159A347C89C

* You can use this queue ID to find deferred messages in the
postfix queue

* The messages are stored in a format that is not easily readable. To
make them readable, use the postcat command, e.g. postcat deferred/E/E9B8F4F0E7C

* Now you can see the real message, with all of its headers, which
should give you a lot more info about its origins. You can see whether
it came in from outside or was submitted locally; for a local submission
the first Received header and the log lines show the submitting user. If
that user is www, you know it's coming from a web script.

* To delete a message from the queue, use e.g.: postsuper -d E9B8F4F0E7C
Do not use the path with this command, just the queue ID.
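The walk above (smtp PID, then queue IDs, then who submitted them, then postcat/postsuper) as an added shell example. It is not from the original post or Michael's notes: the mail.log excerpt is constructed in the Postfix syslog format, and all PIDs, queue IDs, hosts and addresses are invented. It also assumes the Postfix default hash_queue_depth=1 for the deferred/E/... path. On a real host, point it at /var/log/mail.log instead of SAMPLE_LOG.

```shell
#!/bin/sh
# Added example (not from the original post): automates the log-to-queue
# walk against a constructed mail.log excerpt so it runs offline.
# Every PID, queue ID, host and address below is made up.
export LC_ALL=C

SAMPLE_LOG='Mar  3 10:01:12 mail postfix/pickup[25880]: 159A347C89C: uid=70 from=<www>
Mar  3 10:01:12 mail postfix/cleanup[25884]: 159A347C89C: message-id=<20240303100112.159A347C89C@mail.example.com>
Mar  3 10:01:13 mail postfix/qmgr[1122]: 159A347C89C: from=<www@mail.example.com>, size=812, nrcpt=1 (queue active)
Mar  3 10:01:14 mail postfix/smtp[25897]: 159A347C89C: to=<victim@example.net>, relay=none, delay=1, status=deferred (connect to mx.example.net[192.0.2.10]: Connection timed out)
Mar  3 10:01:20 mail postfix/pickup[25880]: E9B8F4F0E7C: uid=70 from=<www>
Mar  3 10:01:21 mail postfix/smtp[25897]: E9B8F4F0E7C: to=<target@example.org>, relay=none, delay=2, status=deferred (connect to mx.example.org[192.0.2.20]: Connection timed out)
Mar  3 10:02:00 mail postfix/pickup[25880]: ABCDEF01234: uid=501 from=<alice>
Mar  3 10:02:01 mail postfix/smtp[25901]: ABCDEF01234: to=<bob@example.com>, relay=mx.example.com[192.0.2.30], delay=1, status=sent (250 2.0.0 OK)'

# Queue IDs handled by a given postfix/smtp PID. Anchoring on "smtp[PID]"
# instead of a bare "grep 25897" avoids matching that number in sizes,
# delays or timestamps. Usage: queue_ids_for_pid PID [LOGTEXT]
queue_ids_for_pid() {
    printf '%s\n' "${2:-$SAMPLE_LOG}" |
        sed -n 's/.*postfix\/smtp\['"$1"'\]: \([0-9A-F][0-9A-F]*\):.*/\1/p' |
        sort -u
}

# Who submitted a queue ID locally: the pickup line logs "uid=N from=<user>".
# Prints e.g. "uid=70 from=<www>"; prints nothing for a message that came in
# over SMTP (smtpd, not pickup, logs those). Usage: pickup_origin QUEUEID [LOGTEXT]
pickup_origin() {
    printf '%s\n' "${2:-$SAMPLE_LOG}" |
        sed -n 's/.*postfix\/pickup\[[0-9]*\]: '"$1"': \(uid=[0-9]* from=<[^>]*>\).*/\1/p' |
        head -n 1
}

# Path of a deferred message relative to queue_directory, assuming the
# Postfix default hash_queue_depth=1 (one hex-character subdirectory).
deferred_path() {
    first=$(printf '%s' "$1" | cut -c1)
    printf 'deferred/%s/%s\n' "$first" "$1"
}

# Report on every message a suspect smtp PID touched: origin, queue file, and
# the postcat/postsuper commands to run next (printed, not executed).
report_pid() {
    for id in $(queue_ids_for_pid "$1"); do
        echo "$id  origin:  $(pickup_origin "$id")"
        echo "    file:    $(deferred_path "$id")"
        echo "    inspect: postcat -q $id"
        echo "    delete:  postsuper -d $id"
    done
}

report_pid 25897
```

Two practical notes: `postcat -q QUEUEID` finds the file under the queue directory for you, so you can run it from anywhere; the path form in the notes only works from the queue directory (`postconf -h queue_directory` prints it). Both postcat on the queue and postsuper need root, and deleting the deferred mail only clears the symptom: the uid=70 (www) origin in the pickup lines is the lead back to the script that keeps injecting it.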